lasso/0004-Mass-replace-LASSO_SIGNATURE_METHOD_RSA_SHA1-with-la.patch

From 0d34c97be1c761a9eb12692e4cc4eac58feb7d19 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Tue, 15 Jun 2021 14:45:14 +0200
Subject: [PATCH 4/7] Mass-replace LASSO_SIGNATURE_METHOD_RSA_SHA1 with
 lasso_get_default_signature_method() (#54037)

This should be backwards-compatible but at the same time use the
selected default instead of RSA-SHA1.

Related:
https://dev.entrouvert.org/issues/54037
---
 lasso/id-ff/defederation.c            | 2 +-
 lasso/id-ff/logout.c                  | 6 +++---
 lasso/id-ff/name_identifier_mapping.c | 4 ++--
 lasso/id-ff/name_registration.c       | 4 ++--
 lasso/id-ff/provider.c                | 2 +-
 lasso/xml/tools.c                     | 2 +-
 tests/basic_tests.c                   | 6 +++---
 7 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/lasso/id-ff/defederation.c b/lasso/id-ff/defederation.c
index d711e4eed..d2382f4ae 100644
--- a/lasso/id-ff/defederation.c
+++ b/lasso/id-ff/defederation.c
@@ -251,7 +251,7 @@ lasso_defederation_init_notification(LassoDefederation *defederation, gchar *rem
 				nameIdentifier,
 				profile->server->certificate ?
 					LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
-				LASSO_SIGNATURE_METHOD_RSA_SHA1);
+				lasso_get_default_signature_method());
 		if (profile->msg_relayState) {
 			message(G_LOG_LEVEL_WARNING,
 					"RelayState was defined but can't be used "\
diff --git a/lasso/id-ff/logout.c b/lasso/id-ff/logout.c
index 20d04ed82..d307db586 100644
--- a/lasso/id-ff/logout.c
+++ b/lasso/id-ff/logout.c
@@ -396,7 +396,7 @@ lasso_logout_build_response_msg(LassoLogout *logout)
 						profile->server->certificate ?
 						LASSO_SIGNATURE_TYPE_WITHX509 :
 						LASSO_SIGNATURE_TYPE_SIMPLE,
-						LASSO_SIGNATURE_METHOD_RSA_SHA1));
+						lasso_get_default_signature_method()));
 		} else if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
 			lasso_assign_new_gobject(profile->response,
 					lasso_lib_logout_response_new_full(
@@ -608,7 +608,7 @@ lasso_logout_init_request(LassoLogout *logout, char *remote_providerID,
 				nameIdentifier,
 				profile->server->certificate ?
 				LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
-				LASSO_SIGNATURE_METHOD_RSA_SHA1);
+				lasso_get_default_signature_method());
 	} else { /* http_method == LASSO_HTTP_METHOD_REDIRECT */
 		is_http_redirect_get_method = TRUE;
 		lib_logout_request = (LassoLibLogoutRequest*)lasso_lib_logout_request_new_full(
@@ -990,7 +990,7 @@ lasso_logout_validate_request(LassoLogout *logout)
 				logout_request,
 				profile->server->certificate ?
 					LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
-				LASSO_SIGNATURE_METHOD_RSA_SHA1));
+				lasso_get_default_signature_method()));
 	}
 	if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {
 		lasso_assign_new_gobject(profile->response, lasso_lib_logout_response_new_full(
diff --git a/lasso/id-ff/name_identifier_mapping.c b/lasso/id-ff/name_identifier_mapping.c
index 80af6fec4..f84020eb6 100644
--- a/lasso/id-ff/name_identifier_mapping.c
+++ b/lasso/id-ff/name_identifier_mapping.c
@@ -259,7 +259,7 @@ lasso_name_identifier_mapping_init_request(LassoNameIdentifierMapping *mapping,
 			targetNamespace,
 			profile->server->certificate ?
 				LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
-			LASSO_SIGNATURE_METHOD_RSA_SHA1);
+			lasso_get_default_signature_method());
 	if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_REQUEST(profile->request) == FALSE) {
 		return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
 	}
@@ -458,7 +458,7 @@ lasso_name_identifier_mapping_validate_request(LassoNameIdentifierMapping *mappi
 			request,
 			profile->server->certificate ?
 				LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
-			LASSO_SIGNATURE_METHOD_RSA_SHA1);
+			lasso_get_default_signature_method());
 
 	if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_RESPONSE(profile->response) == FALSE) {
 		return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
diff --git a/lasso/id-ff/name_registration.c b/lasso/id-ff/name_registration.c
index 11dbf24fe..076cf9624 100644
--- a/lasso/id-ff/name_registration.c
+++ b/lasso/id-ff/name_registration.c
@@ -339,7 +339,7 @@ lasso_name_registration_init_request(LassoNameRegistration *name_registration,
 			idpNameIdentifier, spNameIdentifier, oldNameIdentifier,
 			profile->server->certificate ?
 				LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
-			LASSO_SIGNATURE_METHOD_RSA_SHA1);
+			lasso_get_default_signature_method());
 	if (profile->request == NULL) {
 		return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);
 	}
@@ -575,7 +575,7 @@ lasso_name_registration_validate_request(LassoNameRegistration *name_registratio
 			LASSO_LIB_REGISTER_NAME_IDENTIFIER_REQUEST(profile->request),
 			profile->server->certificate ?
 				LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,
-			LASSO_SIGNATURE_METHOD_RSA_SHA1);
+			lasso_get_default_signature_method());
 	if (LASSO_IS_LIB_REGISTER_NAME_IDENTIFIER_RESPONSE(profile->response) == FALSE) {
 		return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);
 	}
diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c
index 32a907d43..961c3669d 100644
--- a/lasso/id-ff/provider.c
+++ b/lasso/id-ff/provider.c
@@ -1274,7 +1274,7 @@ lasso_provider_load_public_key(LassoProvider *provider, LassoPublicKeyType publi
 
 	if (public_key != NULL) {
 		xmlSecKey *key = lasso_xmlsec_load_private_key(public_key, NULL,
-				LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
+				lasso_get_default_signature_method(), NULL);
 		if (key) {
 			lasso_list_add_new_sec_key(keys, key);
 		} else {
diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c
index ce322ee1f..cf6dade09 100644
--- a/lasso/xml/tools.c
+++ b/lasso/xml/tools.c
@@ -2746,7 +2746,7 @@ next:
 		content = xmlNodeGetContent(key_value);
 		if (content) {
 			result = lasso_xmlsec_load_private_key_from_buffer((char*)content,
-					strlen((char*)content), NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);
+					strlen((char*)content), NULL, lasso_get_default_signature_method(), NULL);
 			xmlFree(content);
 		}
 	}
diff --git a/tests/basic_tests.c b/tests/basic_tests.c
index f9cfef266..0652abc28 100644
--- a/tests/basic_tests.c
+++ b/tests/basic_tests.c
@@ -2008,16 +2008,16 @@ START_TEST(test14_lasso_key)
 
 	check_true(g_file_get_contents(TESTSDATADIR "sp1-la/private-key-raw.pem", &buffer, &length, NULL));
 	check_not_null(key = lasso_key_new_for_signature_from_memory(buffer,
-				length, NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,
+				length, NULL, lasso_get_default_signature_method(),
 				NULL));
 	lasso_release_gobject(key);
 	check_not_null(key = lasso_key_new_for_signature_from_file(TESTSDATADIR
-				"sp1-la/private-key-raw.pem", NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,
+				"sp1-la/private-key-raw.pem", NULL, lasso_get_default_signature_method(),
 				NULL));
 	lasso_release_gobject(key);
 	base64_encoded = g_base64_encode(BAD_CAST buffer, length);
 	check_not_null(key = lasso_key_new_for_signature_from_base64_string(base64_encoded, NULL,
-				LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL));
+				lasso_get_default_signature_method(), NULL));
 	lasso_release_string(base64_encoded);
 	lasso_release_string(buffer);
 	lasso_release_gobject(key);
-- 
2.26.3
Resolves: rhbz#1935987 - lasso implements and/or uses the deprecated SHA1 algorithm by default 2021-06-24 19:10:57 +00:00			`From 0d34c97be1c761a9eb12692e4cc4eac58feb7d19 Mon Sep 17 00:00:00 2001`
			`From: Jakub Hrozek <jhrozek@redhat.com>`
			`Date: Tue, 15 Jun 2021 14:45:14 +0200`
			`Subject: [PATCH 4/7] Mass-replace LASSO_SIGNATURE_METHOD_RSA_SHA1 with`
			`lasso_get_default_signature_method() (#54037)`

			`This should be backwards-compatible but at the same time use the`
			`selected default instead of RSA-SHA1.`

			`Related:`
			`https://dev.entrouvert.org/issues/54037`
			`---`
			`lasso/id-ff/defederation.c \| 2 +-`
			`lasso/id-ff/logout.c \| 6 +++---`
			`lasso/id-ff/name_identifier_mapping.c \| 4 ++--`
			`lasso/id-ff/name_registration.c \| 4 ++--`
			`lasso/id-ff/provider.c \| 2 +-`
			`lasso/xml/tools.c \| 2 +-`
			`tests/basic_tests.c \| 6 +++---`
			`7 files changed, 13 insertions(+), 13 deletions(-)`

			`diff --git a/lasso/id-ff/defederation.c b/lasso/id-ff/defederation.c`
			`index d711e4eed..d2382f4ae 100644`
			`--- a/lasso/id-ff/defederation.c`
			`+++ b/lasso/id-ff/defederation.c`
			`@@ -251,7 +251,7 @@ lasso_defederation_init_notification(LassoDefederation defederation, gchar rem`
			`nameIdentifier,`
			`profile->server->certificate ?`
			`LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,`
			`- LASSO_SIGNATURE_METHOD_RSA_SHA1);`
			`+ lasso_get_default_signature_method());`
			`if (profile->msg_relayState) {`
			`message(G_LOG_LEVEL_WARNING,`
			`"RelayState was defined but can't be used "\`
			`diff --git a/lasso/id-ff/logout.c b/lasso/id-ff/logout.c`
			`index 20d04ed82..d307db586 100644`
			`--- a/lasso/id-ff/logout.c`
			`+++ b/lasso/id-ff/logout.c`
			`@@ -396,7 +396,7 @@ lasso_logout_build_response_msg(LassoLogout *logout)`
			`profile->server->certificate ?`
			`LASSO_SIGNATURE_TYPE_WITHX509 :`
			`LASSO_SIGNATURE_TYPE_SIMPLE,`
			`- LASSO_SIGNATURE_METHOD_RSA_SHA1));`
			`+ lasso_get_default_signature_method()));`
			`} else if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {`
			`lasso_assign_new_gobject(profile->response,`
			`lasso_lib_logout_response_new_full(`
			`@@ -608,7 +608,7 @@ lasso_logout_init_request(LassoLogout logout, char remote_providerID,`
			`nameIdentifier,`
			`profile->server->certificate ?`
			`LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,`
			`- LASSO_SIGNATURE_METHOD_RSA_SHA1);`
			`+ lasso_get_default_signature_method());`
			`} else { /* http_method == LASSO_HTTP_METHOD_REDIRECT */`
			`is_http_redirect_get_method = TRUE;`
			`lib_logout_request = (LassoLibLogoutRequest*)lasso_lib_logout_request_new_full(`
			`@@ -990,7 +990,7 @@ lasso_logout_validate_request(LassoLogout *logout)`
			`logout_request,`
			`profile->server->certificate ?`
			`LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,`
			`- LASSO_SIGNATURE_METHOD_RSA_SHA1));`
			`+ lasso_get_default_signature_method()));`
			`}`
			`if (profile->http_request_method == LASSO_HTTP_METHOD_REDIRECT) {`
			`lasso_assign_new_gobject(profile->response, lasso_lib_logout_response_new_full(`
			`diff --git a/lasso/id-ff/name_identifier_mapping.c b/lasso/id-ff/name_identifier_mapping.c`
			`index 80af6fec4..f84020eb6 100644`
			`--- a/lasso/id-ff/name_identifier_mapping.c`
			`+++ b/lasso/id-ff/name_identifier_mapping.c`
			`@@ -259,7 +259,7 @@ lasso_name_identifier_mapping_init_request(LassoNameIdentifierMapping *mapping,`
			`targetNamespace,`
			`profile->server->certificate ?`
			`LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,`
			`- LASSO_SIGNATURE_METHOD_RSA_SHA1);`
			`+ lasso_get_default_signature_method());`
			`if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_REQUEST(profile->request) == FALSE) {`
			`return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);`
			`}`
			`@@ -458,7 +458,7 @@ lasso_name_identifier_mapping_validate_request(LassoNameIdentifierMapping *mappi`
			`request,`
			`profile->server->certificate ?`
			`LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,`
			`- LASSO_SIGNATURE_METHOD_RSA_SHA1);`
			`+ lasso_get_default_signature_method());`

			`if (LASSO_IS_LIB_NAME_IDENTIFIER_MAPPING_RESPONSE(profile->response) == FALSE) {`
			`return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);`
			`diff --git a/lasso/id-ff/name_registration.c b/lasso/id-ff/name_registration.c`
			`index 11dbf24fe..076cf9624 100644`
			`--- a/lasso/id-ff/name_registration.c`
			`+++ b/lasso/id-ff/name_registration.c`
			`@@ -339,7 +339,7 @@ lasso_name_registration_init_request(LassoNameRegistration *name_registration,`
			`idpNameIdentifier, spNameIdentifier, oldNameIdentifier,`
			`profile->server->certificate ?`
			`LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,`
			`- LASSO_SIGNATURE_METHOD_RSA_SHA1);`
			`+ lasso_get_default_signature_method());`
			`if (profile->request == NULL) {`
			`return critical_error(LASSO_PROFILE_ERROR_BUILDING_REQUEST_FAILED);`
			`}`
			`@@ -575,7 +575,7 @@ lasso_name_registration_validate_request(LassoNameRegistration *name_registratio`
			`LASSO_LIB_REGISTER_NAME_IDENTIFIER_REQUEST(profile->request),`
			`profile->server->certificate ?`
			`LASSO_SIGNATURE_TYPE_WITHX509 : LASSO_SIGNATURE_TYPE_SIMPLE,`
			`- LASSO_SIGNATURE_METHOD_RSA_SHA1);`
			`+ lasso_get_default_signature_method());`
			`if (LASSO_IS_LIB_REGISTER_NAME_IDENTIFIER_RESPONSE(profile->response) == FALSE) {`
			`return critical_error(LASSO_PROFILE_ERROR_BUILDING_RESPONSE_FAILED);`
			`}`
			`diff --git a/lasso/id-ff/provider.c b/lasso/id-ff/provider.c`
			`index 32a907d43..961c3669d 100644`
			`--- a/lasso/id-ff/provider.c`
			`+++ b/lasso/id-ff/provider.c`
			`@@ -1274,7 +1274,7 @@ lasso_provider_load_public_key(LassoProvider *provider, LassoPublicKeyType publi`

			`if (public_key != NULL) {`
			`xmlSecKey *key = lasso_xmlsec_load_private_key(public_key, NULL,`
			`- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);`
			`+ lasso_get_default_signature_method(), NULL);`
			`if (key) {`
			`lasso_list_add_new_sec_key(keys, key);`
			`} else {`
			`diff --git a/lasso/xml/tools.c b/lasso/xml/tools.c`
			`index ce322ee1f..cf6dade09 100644`
			`--- a/lasso/xml/tools.c`
			`+++ b/lasso/xml/tools.c`
			`@@ -2746,7 +2746,7 @@ next:`
			`content = xmlNodeGetContent(key_value);`
			`if (content) {`
			`result = lasso_xmlsec_load_private_key_from_buffer((char*)content,`
			`- strlen((char*)content), NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL);`
			`+ strlen((char*)content), NULL, lasso_get_default_signature_method(), NULL);`
			`xmlFree(content);`
			`}`
			`}`
			`diff --git a/tests/basic_tests.c b/tests/basic_tests.c`
			`index f9cfef266..0652abc28 100644`
			`--- a/tests/basic_tests.c`
			`+++ b/tests/basic_tests.c`
			`@@ -2008,16 +2008,16 @@ START_TEST(test14_lasso_key)`

			`check_true(g_file_get_contents(TESTSDATADIR "sp1-la/private-key-raw.pem", &buffer, &length, NULL));`
			`check_not_null(key = lasso_key_new_for_signature_from_memory(buffer,`
			`- length, NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,`
			`+ length, NULL, lasso_get_default_signature_method(),`
			`NULL));`
			`lasso_release_gobject(key);`
			`check_not_null(key = lasso_key_new_for_signature_from_file(TESTSDATADIR`
			`- "sp1-la/private-key-raw.pem", NULL, LASSO_SIGNATURE_METHOD_RSA_SHA1,`
			`+ "sp1-la/private-key-raw.pem", NULL, lasso_get_default_signature_method(),`
			`NULL));`
			`lasso_release_gobject(key);`
			`base64_encoded = g_base64_encode(BAD_CAST buffer, length);`
			`check_not_null(key = lasso_key_new_for_signature_from_base64_string(base64_encoded, NULL,`
			`- LASSO_SIGNATURE_METHOD_RSA_SHA1, NULL));`
			`+ lasso_get_default_signature_method(), NULL));`
			`lasso_release_string(base64_encoded);`
			`lasso_release_string(buffer);`
			`lasso_release_gobject(key);`
			`--`
			`2.26.3`